
---
apiVersion: v1
kind: Namespace
metadata:
  name: kuma-system
  labels:
    kuma.io/system-namespace: "true"
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: kuma-control-plane
  namespace: kuma-system
  labels: 
    app: kuma-control-plane
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: kuma-control-plane-config
  namespace: kuma-system
  labels: 
    app: kuma-control-plane
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
data:
  config.yaml: |
    # use this file to override default configuration of `kuma-cp`
    #
    # see conf/kuma-cp.conf.yml for available settings
---
apiVersion: v1
kind: Service
metadata:
  name: kuma-global-zone-sync
  namespace: kuma-system
  annotations:
  labels: 
    app: kuma-control-plane
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
spec:
  type: LoadBalancer
  ports:
    - port: 5685
      appProtocol: grpc
      name: global-zone-sync
  selector:
    app: kuma-control-plane
  
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
---
apiVersion: v1
kind: Service
metadata:
  name: kuma-control-plane
  namespace: kuma-system
  labels: 
    app: kuma-control-plane
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
  annotations:
    prometheus.io/port: "5680"
    prometheus.io/scrape: "true"
spec:
  type: ClusterIP
  ports:
    - port: 5680
      name: diagnostics
      appProtocol: http
    - port: 5681
      name: http-api-server
      appProtocol: http
    - port: 5682
      name: https-api-server
      appProtocol: https
  selector:
    app: kuma-control-plane
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kuma-control-plane
  namespace: kuma-system
  labels: 
    app: kuma-control-plane
    app.kubernetes.io/name: kuma
    app.kubernetes.io/instance: kuma
  annotations: 
    
spec:
  replicas: 1
  minReadySeconds: 0
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 0
  selector:
    matchLabels:
      app.kubernetes.io/name: kuma
      app.kubernetes.io/instance: kuma
      app: kuma-control-plane
  template:
    metadata:
      annotations:
        checksum/config: fd9d1d8386f97f2bd49e50f476520816168a1c9f60bbc43dec1347a64d239155
        checksum/tls-secrets: 75a11da44c802486bc6f65640aa48a730f0f684c5c07a42ba3cd1735eb3fb070
      labels: 
        app: kuma-control-plane
        app.kubernetes.io/name: kuma
        app.kubernetes.io/instance: kuma
    spec:
      affinity: 
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - 'kuma'
                - key: app.kubernetes.io/instance
                  operator: In
                  values:
                  - 'kuma'
                - key: app
                  operator: In
                  values:
                  - 'kuma-control-plane'
              topologyKey: kubernetes.io/hostname
            weight: 100
      securityContext:
        runAsNonRoot: true
      serviceAccountName: kuma-control-plane
      automountServiceAccountToken: true
      nodeSelector:
        
        kubernetes.io/os: linux
      hostNetwork: false
      terminationGracePeriodSeconds: 30
      initContainers:
        - name: migration
          image: "docker.io/kumahq/kuma-cp:0.0.1"
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
          env:
            - name: KUMA_DEFAULTS_SKIP_MESH_CREATION
              value: "false"
            - name: KUMA_ENVIRONMENT
              value: "universal"
            - name: KUMA_GENERAL_WORK_DIR
              value: "/tmp/kuma"
            - name: KUMA_MODE
              value: "global"
            - name: KUMA_PLUGIN_POLICIES_ENABLED
              value: "meshaccesslogs,meshcircuitbreakers,meshfaultinjections,meshhealthchecks,meshhttproutes,meshloadbalancingstrategies,meshmetrics,meshproxypatches,meshratelimits,meshretries,meshtcproutes,meshtimeouts,meshtraces,meshtrafficpermissions"
            - name: KUMA_STORE_POSTGRES_PORT
              value: "5432"
            - name: KUMA_STORE_POSTGRES_TLS_CA_PATH
              value: "/var/run/secrets/kuma.io/postgres-tls-cert/ca.crt"
            - name: KUMA_STORE_POSTGRES_TLS_MODE
              value: "verifyFull"
            - name: KUMA_STORE_TYPE
              value: "postgres"
          args:
            - migrate
            - up
            - --log-level=info
            - --config-file=/etc/kuma.io/kuma-control-plane/config.yaml
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 500m
              memory: 256Mi
          volumeMounts:
            - name: postgres-tls-cert-ca
              subPath: ca.crt
              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
              readOnly: true
            - name: kuma-control-plane-config
              mountPath: /etc/kuma.io/kuma-control-plane
              readOnly: true
      containers:
        - name: control-plane
          image: "docker.io/kumahq/kuma-cp:0.0.1"
          imagePullPolicy: IfNotPresent
          securityContext:
            readOnlyRootFilesystem: true
          env:
            - name: KUMA_DEFAULTS_SKIP_MESH_CREATION
              value: "false"
            - name: KUMA_ENVIRONMENT
              value: "universal"
            - name: KUMA_GENERAL_WORK_DIR
              value: "/tmp/kuma"
            - name: KUMA_MODE
              value: "global"
            - name: KUMA_PLUGIN_POLICIES_ENABLED
              value: "meshaccesslogs,meshcircuitbreakers,meshfaultinjections,meshhealthchecks,meshhttproutes,meshloadbalancingstrategies,meshmetrics,meshproxypatches,meshratelimits,meshretries,meshtcproutes,meshtimeouts,meshtraces,meshtrafficpermissions"
            - name: KUMA_STORE_POSTGRES_PORT
              value: "5432"
            - name: KUMA_STORE_POSTGRES_TLS_CA_PATH
              value: "/var/run/secrets/kuma.io/postgres-tls-cert/ca.crt"
            - name: KUMA_STORE_POSTGRES_TLS_MODE
              value: "verifyFull"
            - name: KUMA_STORE_TYPE
              value: "postgres"
            - name: KUMA_INTER_CP_CATALOG_INSTANCE_ADDRESS
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
          args:
            - run
            - --log-level=info
            - --log-output-path=
            - --config-file=/etc/kuma.io/kuma-control-plane/config.yaml
          ports:
            - containerPort: 5680
              name: diagnostics
              protocol: TCP
            - containerPort: 5681
            - containerPort: 5682
            - containerPort: 5443
          livenessProbe:
            timeoutSeconds: 10
            httpGet:
              path: /healthy
              port: 5680
          readinessProbe:
            timeoutSeconds: 10
            httpGet:
              path: /ready
              port: 5680
          resources:
            limits:
              memory: 256Mi
            requests:
              cpu: 500m
              memory: 256Mi
          
          volumeMounts:
            - name: kuma-control-plane-config
              mountPath: /etc/kuma.io/kuma-control-plane
              readOnly: true
            - name: postgres-tls-cert-ca
              subPath: ca.crt
              mountPath: /var/run/secrets/kuma.io/postgres-tls-cert/ca.crt
              readOnly: true
            - name: tmp
              mountPath: /tmp
      volumes:
        - name: postgres-tls-cert-ca
          secret:
            secretName: postgres-ca
        - name: kuma-control-plane-config
          configMap:
            name: kuma-control-plane-config
        - name: tmp
          emptyDir: {}
